Unrated severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()

CVE-2026-30954

Description

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.

Affected products

Linkace/Linkacev5
Range: <= 2.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxhmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000